An "extremely critical flaw" in Microsoft Word 2000 is currently being exploited by malicious attackers, which could lead to remote execution of code on a user's system, security researcher Secunia advised Tuesday.

Security company Symantec, which several days ago detected the exploit, Trojan MDropper.Q, noted that it uses a two-step attack. Trojan MDropper.Q exploits the Microsoft Word vulnerability to drop another file, a new variant of Backdoor.Femo, according to a security advisory by Symantec. "As with other recent (Microsoft) Office vulnerabilities, documents incorporating the exploit code must be opened with a vulnerable copy of Microsoft Word 2000 for it to work," Symantec's advisory stated. "As such, it makes the vulnerability unsuitable for the creation of self-replicating network worms." Microsoft has not yet issued a patch for the vulnerability, and users are advised to forgo opening untrusted documents.